ISO 27001 certification in 10 easy steps

While technological advancements have enabled businesses to expand beyond conventional practices, it’s no secret that they have also attracted the attention of cyber criminals more than ever. Consequently, cyber crime is on the rise, and it is essential that organisations have strategies in place to protect themselves from damaging security breaches that can affect their reputation and business.

Compliance with the international information security management standard ISO 27001 provides an effective way of minimising cyber security risks and is becoming an increasingly popular choice for organisations. Certification to ISO 27001 provides additional assurance to your shareholders and clients that you’ve taken the necessary information security measures to reduce your risk of a breach.

According to the ISO Survey 2017, global adoption of ISO 27001 is growing at about 20% year on year. Asia-Pacific accounts for more than 44% of the regional share, with a growth rate of 19%.

If you are considering obtaining ISO 27001 certification, here are a few pointers to help you along the way.

What should you do to get certified?

Prepare

Find out what ISO 27001:2013 is all about

Reading the Standard provides a good background to ISO 27001 and its requirements. There are a number of other ways you can familiarise yourself with ISO 27001:

An expert experienced in implementing an ISMS (information security management system) understands the requirements for achieving ISO 27001 certification. You may want to consider conducting a gap analysis to identify the gaps between what the Standard requires and your existing information security programme.

Securing the help of an ISO 27001 implementation specialist (either internal or external) can therefore make things easier for you.

A project is only successful with the support of senior management and leadership.

A gap analysis conducted by a specialist, which comprises a comprehensive review of all existing information security arrangements against the requirements of ISO 27001, is a very good starting point to help you build a business case for implementing ISO 27001. A comprehensive gap analysis should include a prioritised plan of recommended actions, and additional guidance for scoping your ISMS.

Establish the context, scope and objectives

It’s essential to establish the project and ISMS objectives from the outset. You’ll also need to consider the scope of the ISMS, which may cover the whole organisation or a specific department or geographical location.

The requirements of interested parties (stakeholders, employees, etc.) must be considered, and the organisational context (the internal and external factors that can influence your organisation’s information security) should not be overlooked.

Outlining the ISMS deliverables early on is crucial for the achievement of the objectives under the constraints of time, money and resources. You need to consider whether you will be using an external consultancy or in-house expertise, if available.

You might want to maintain full control of the project, while relying on the assistance of an online mentor during the critical stages. This will help steer your project in the right direction, while cutting back on the additional cost of appointing a full-time consultant.

You could consider our all-inclusive ISO27001 Get a Lot of Help Package, which includes up to 40 hours of structured consultancy with an implementation specialist and coach, delivered during live, online sessions at agreed times and according to a project plan.

Establish a management framework

The management framework describes the set of processes an organisation needs to follow to meet its ISO 27001 implementation objectives. These processes include assigning accountability for the ISMS, a schedule of activities and regular reviews to support a cycle of continuous improvement.

Conduct a risk assessment

Although ISO 27001 requires a formal risk assessment, it does not outline a specific risk assessment methodology that needs to be followed. The risk assessment process must be planned, and the data, analysis and results must be recorded.

Additionally, the baseline security criteria (an organisation’s business, legal and regulatory requirements and contractual obligations related to information security) should be determined before the risk assessment.

Implement controls to mitigate risks

After the risks have been identified, the next step is to determine whether they should be treated, tolerated, eliminated or transferred to an insurance agency.

It is crucial to document all the decisions regarding risk responses, as the auditor will want to review these during the certification audit. Additionally, it is mandatory to present the SoA (Statement of Applicability) and the RTP (risk treatment plan) as evidence of the risk assessment.

Conduct training

The Standard requires staff training programmes to be initiated to raise awareness about information security. An organisation-wide staff awareness e-learning course is the easiest way to introduce the Standard and to provide guidance about what employees should do to ensure compliance.

Review and update the required documentation

ISMS policies, processes and procedures require supporting documentation, but compiling them can often be tedious and challenging.

Things can be made easier by purchasing the ISO 27001 ISMS Documentation Toolkit, which has been developed by ISO 27001 experts. This contains a complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates.

At a minimum, ISO 27001 requires the following documentation:

- The scope of the ISMS (clause 4.3)
- Information security policy (clause 5.2)
- Information security risk assessment process (clause 6.1.2)
- Information security risk treatment process (clause 6.1.3)
- The SoA (clause 6.1.3 d))
- Information security objectives (clause 6.2)
- Evidence of competence (clause 7.2 d))
- Documented information determined by the organisation as being necessary for the effectiveness of the ISMS (clause 7.5.1 b))
- Operational planning and control (clause 8.1)
- Results of the information security risk assessment (clause 8.2)
- Results of the information security risk treatment (clause 8.3)
- Evidence of the monitoring and measurement of results (clause 9.1)
- A documented internal audit process (clause 9.2)
- Evidence of the audit programmes and the audit results (clause 9.2 g))
- Evidence of the results of management reviews (clause 9.3)
- Evidence of the nature of the nonconformities and any subsequent actions taken (clause 10.1 f))
- Evidence of the results of any corrective actions taken (clause 10.1 g))

Monitor and evaluate

ISO 27001 supports a process of continual improvement. This requires the performance of the ISMS to be constantly evaluated and reviewed for effectiveness and compliance, in addition to identifying improvements to existing processes and controls.

Conduct an internal audit

ISO 27001 requires internal audits of the ISMS at specified intervals. This requires the manager responsible for implementing and maintaining ISO 27001 compliance to have a practical, working knowledge of lead auditing processes.

Alternatively, you may want to draw on an independent expert to conduct the internal audit, so that you can benefit from the advice of someone who is knowledgeable and knows what certification bodies expect.

Certification audits

The final step of ISO 27001 certification is a two-stage audit process.

During the Stage One audit, an auditor evaluates whether your documentation meets the requirements of ISO 27001. They also highlight any nonconformities and possible improvements to the management system.

The Stage Two audit consists of a thorough assessment to establish whether you are complying with ISO 27001 in practice.

How long will it take to get certified?

Depending on the size and complexity of the management system’s scope, with the right preparation it can take most small- to medium-sized organisations between 6 and 12 months to achieve ISO 27001 certification.

To accelerate the implementation process, consider getting an ISO 27001 expert to help you.

For companies with fewer than 19 staff, you might want to consider a FastTrack™ service, which prepares organisations for registration within three months for under $10,000.